[00:00.860 --> 00:03.420]  I don't like when they play it, but whatever.
[00:06.860 --> 00:09.060]  Okay, we are live.
[00:11.730 --> 00:21.290]  Hi everyone, thanks for coming to Indicators of Emulation Extra Spicy Adversary Emulation.
[00:21.510 --> 00:25.170]  And we will just get started and go at it.
[00:25.170 --> 00:28.110]  And really quick, next slide please.
[00:31.100 --> 00:34.980]  Before I say anything, I have to do this for the lawyers.
[00:34.980 --> 00:40.320]  And say that any opinions and anything that I say or do is just me.
[00:40.320 --> 00:43.680]  And I'm not representing my company at all.
[00:43.780 --> 00:46.240]  It's in an individual capacity.
[00:46.500 --> 00:52.480]  And not the views of my employer, not the views of his employer, period.
[00:52.740 --> 00:54.180]  Yeah, that goes for me as well.
[00:54.700 --> 00:58.320]  Yeah, we both have our lawyer disclaimers.
[00:58.760 --> 01:02.260]  So I'm going to start with a little bit of story time.
[01:02.260 --> 01:05.140]  Back at BSides Chicago.
[01:06.420 --> 01:08.020]  Okay, there we go.
[01:08.020 --> 01:12.840]  Back at BSides Chicago 2019, Matt Kelly did a really great talk.
[01:12.840 --> 01:18.600]  And it was called Threat Emulation Adversary Focused Red Teams.
[01:18.620 --> 01:24.720]  And in it, he got me thinking about how CTI can benefit red.
[01:24.720 --> 01:28.940]  All things red: adversary emulation, purple team, all of that.
[01:28.940 --> 01:33.400]  And so, you know, I'm working on a doctorate at Marymount University.
[01:33.400 --> 01:39.020]  And I decided to incorporate the thing that I'm curious about into my research.
[01:39.100 --> 01:43.620]  And conducting, you know, reading tons of articles and all of that.
[01:43.620 --> 01:49.880]  I came to the kind of conclusion that there's really minimal information out there.
[01:49.880 --> 01:54.360]  As far as, like, the practice of CTI applied towards red teaming.
[01:54.360 --> 01:58.120]  It seems more focused on blue team stuff.
[01:58.120 --> 02:05.820]  Like extracting indicators of compromise, IOCs, and helping defenders defend the organization.
[02:05.820 --> 02:08.920]  And so, of course, there's Atomic Red Team and all of that.
[02:08.920 --> 02:12.420]  I'm talking specifically about the trade practice of CTI.
[02:12.420 --> 02:16.240]  Traditionally, it's for blue and not necessarily red.
[02:16.400 --> 02:18.800]  So, fast forward a little bit.
[02:18.800 --> 02:23.820]  And I got curious about Bryson Bort and SCYTHE's marketplace.
[02:23.820 --> 02:34.220]  And in it, basically, they are putting together something where people can build out capabilities for threat actors for organizations to use.
[02:34.220 --> 02:36.920]  And I thought, oh, my God, that sounds like so much fun.
[02:36.920 --> 02:38.720]  I kind of want to do it.
[02:38.720 --> 02:42.260]  And so, Bryson got me in touch with Adam Mashinchi.
[02:42.260 --> 02:52.100]  And Adam pointed out that basically, if you look at the threat intel reports, they have commands and are very, very detailed for Linux.
[02:52.100 --> 02:55.160]  But Windows, not so much.
[02:55.180 --> 02:59.340]  And that semester, I happened to be in a malware analysis course.
[02:59.340 --> 03:04.760]  And I'm like, hmm, maybe I can make this my project for the year.
[03:04.780 --> 03:08.380]  So, I decided, why not?
[03:08.380 --> 03:10.560]  Why not explore it a little bit further?
[03:10.800 --> 03:13.640]  So, I decided to take it on.
[03:13.640 --> 03:16.340]  And I was like, it will be easy.
[03:16.340 --> 03:24.700]  All I have to do is just enable command line logging and maybe some PowerShell as an extra, you know, thing.
[03:24.880 --> 03:26.800]  And it will be really easy.
[03:26.800 --> 03:27.820]  Not hard at all.
[03:27.820 --> 03:29.740]  Like, I already know where to get all the samples.
[03:29.740 --> 03:31.580]  There won't be any problems.
[03:32.540 --> 03:33.580]  Yeah.
[03:34.160 --> 03:37.020]  So, I got a VM from Windows.
[03:37.020 --> 03:38.260]  So, Windows 10.
[03:38.260 --> 03:43.380]  And then I enabled all the logging for the Windows command line and PowerShell.
[03:43.380 --> 03:48.820]  I used Michael Gough's, let's see, Malware Archaeology.
[03:48.920 --> 03:52.200]  And lots of Googling to make sure I had it all right.
[03:52.280 --> 03:57.860]  And believe it or not, disabling all of the security on Windows 10, like, holy, holy hell.
[03:57.860 --> 04:02.700]  Like, it was a lot of work to be able to just execute malware.
[04:03.380 --> 04:08.400]  With the infection rates, I was expecting it would be easy to just, you know, point and click.
[04:08.400 --> 04:10.360]  But I was wrong.
[04:10.360 --> 04:13.000]  So, I just want to do...
[04:14.700 --> 04:16.140]  Oh, next slide.
[04:16.140 --> 04:17.680]  A couple next slides.
[04:23.280 --> 04:24.320]  Back.
[04:25.980 --> 04:27.160]  Yes, that one.
[04:27.160 --> 04:34.680]  So, I just want to do a really brief shout out to Windows and Microsoft.
[04:34.680 --> 04:36.620]  And say, thank you so much.
[04:36.620 --> 04:40.860]  You've done a really good job at protecting us, everyone.
[04:41.560 --> 04:45.220]  He made it really hard for me to click and point.
[04:45.220 --> 04:48.220]  And it required a lot of disabling.
[04:48.400 --> 04:49.600]  Next slide, please.
[04:50.820 --> 04:52.720]  So, these are the results.
[04:52.720 --> 04:57.820]  What I did is I wanted to create a baseline since it was for an actual doctoral class.
[04:57.820 --> 05:02.660]  So, I had to have some sort of methodology behind it to be able to explain.
[05:02.940 --> 05:07.780]  So, when you look over the command line logging, it's a little...
[05:07.780 --> 05:11.420]  It can get a little confusing because stuff goes on.
[05:11.420 --> 05:18.420]  And before I introduce malware, I wanted to make sure that I understood what the heck was going on first.
[05:18.420 --> 05:23.800]  So, I wanted to create a control that I knew was not malicious and doing weird stuff.
[05:23.800 --> 05:26.840]  And before I introduce the craziness.
[05:26.920 --> 05:28.880]  So, there are three options.
[05:28.880 --> 05:32.020]  One is issuing the commands yourself, which I did.
[05:32.100 --> 05:35.040]  The next one was Atomic Red Team.
[05:35.040 --> 05:37.840]  So, I used Atomic Red Team, installed it.
[05:37.840 --> 05:40.760]  Shout out to the Atomic Red Team crew.
[05:41.040 --> 05:44.460]  It was so easy. I just followed the instructions.
[05:44.600 --> 05:51.680]  And I was able to get it up and running and done and tested in almost no time.
[05:51.680 --> 05:54.460]  It was ridiculous how easy it was.
[05:54.560 --> 05:57.760]  And then finally was testing malware.
[05:58.000 --> 06:01.840]  So, I created a test malware, I call it.
[06:01.840 --> 06:04.380]  It just pops calc, essentially.
[06:04.380 --> 06:07.480]  I compiled a C++ binary.
[06:07.820 --> 06:17.100]  And I used Sektor7's Red Team Operator malware dev course to, I guess, learn how to compile C++ binaries.
[06:17.100 --> 06:19.720]  So, that was fun. It was very benign.
[06:19.720 --> 06:23.160]  The code is right up there on the left-hand side. It just pops calc.
[06:23.160 --> 06:33.140]  And the other problem I had, if you can see on the right-hand side, all of the no's for command line arguments.
[06:33.140 --> 06:35.900]  I'm like, what the heck am I doing wrong?
[06:36.300 --> 06:39.800]  Why can't I figure this out? Why aren't these executing?
[06:39.800 --> 06:45.800]  I went to ANY.RUN, I did Hybrid Analysis, MalwareBazaar, I pulled stuff from VirusTotal.
[06:46.560 --> 06:59.280]  A fun story about that is someone at some place, which I won't name, I asked, hey, I'm having problems executing your samples.
[06:59.280 --> 07:01.000]  What am I doing wrong?
[07:01.060 --> 07:04.700]  I know with ANY.RUN, you change the .bin to .exe.
[07:05.660 --> 07:09.980]  I even used the file command and checked that it was an executable.
[07:09.980 --> 07:11.440]  Different things, right?
[07:11.900 --> 07:14.980]  And they suggested I speak to Bleeping Computer.
[07:14.980 --> 07:17.540]  Obviously, I'm not going to do that.
[07:18.420 --> 07:22.900]  So there are multiple repositories for malware, and I decided, you know what?
[07:22.940 --> 07:27.560]  I'm having such a hard time with this, I'm just going to go direct to the source.
[07:27.740 --> 07:37.580]  So at URLhaus, the wonderful thing about that is that when they post fresh samples, they also include the URL.
[07:37.580 --> 07:44.380]  So with the new ones that they posted, I honestly, I just went to the attacker's domain and pulled the malware myself.
[07:45.040 --> 07:47.640]  I was safe, don't worry, I was safe.
[07:48.420 --> 07:50.160]  So next slide, please.
[07:51.020 --> 07:54.880]  So these are the results of when I pulled the malware myself.
[07:54.880 --> 08:02.440]  I ended up getting command line arguments, which was great, but there were still over half that I got nothing.
[08:02.440 --> 08:07.000]  And I'm like, what is going on? Is it me? Is it the malware?
[08:07.000 --> 08:10.420]  Like, what's wrong with this?
[08:10.420 --> 08:11.760]  Next slide, please.
[08:13.240 --> 08:16.200]  So I'm like, oh, there's static analysis, right?
[08:16.200 --> 08:22.540]  So I'll just download Ghidra and IDA, and I'll just fuss around with it and figure it out.
[08:22.540 --> 08:25.720]  And it was a little bit harder than that.
[08:26.040 --> 08:34.340]  I didn't really have the time, because it was for a class project too, to sit down and learn all that anti-analysis, anti-VM,
[08:34.340 --> 08:43.120]  and all of that defense evasion stuff as far as how to defeat it and step through and do that for multiple samples at scale.
[08:43.120 --> 08:46.680]  Like, I didn't have that time. I will in the future, possibly.
[08:47.360 --> 08:51.260]  And also to Joe Slowik, I don't know if you're familiar with him.
[08:51.260 --> 08:53.240]  He's like the meme master.
[08:53.300 --> 08:58.720]  He posted something recently where it was a guy drinking out of a cup of water.
[08:58.860 --> 09:02.920]  And he was like, here, he was like, is this how I drink water?
[09:02.920 --> 09:06.700]  You know, and like, not actually drinking from it.
[09:06.700 --> 09:11.900]  And that's how I felt like when I was working with Ghidra and IDA and all that stuff.
[09:11.900 --> 09:16.620]  So I'm like, whoa, I'm like, I just need to put this down for a second.
[09:16.840 --> 09:18.060]  Next slide, please.
[09:19.640 --> 09:27.240]  So at the DFIR Summit in 2020, this year, Malware Archaeology himself, he was giving a talk,
[09:27.240 --> 09:30.320]  and I was able to talk to him about some of my problems.
[09:30.320 --> 09:35.360]  And he suggested that I just use a real computer.
[09:35.360 --> 09:38.860]  And I'm like, what? That's like crazy.
[09:39.080 --> 09:46.940]  I would never think to buy a cheap computer and execute it on there to bypass the VM stuff.
[09:46.940 --> 09:49.760]  So I was like, all right, let's do this.
[09:49.760 --> 09:54.200]  Like, I will fully commit to this, and I will buy these computers.
[09:54.200 --> 09:57.300]  So the first one I bought, it was dead on arrival.
[09:57.620 --> 09:59.360]  It did not work.
[09:59.360 --> 10:01.800]  And then the second one ended up working.
[10:01.800 --> 10:03.320]  And next slide, please.
[10:05.940 --> 10:11.540]  So these are the results of what I did is I grabbed a sample,
[10:11.540 --> 10:16.460]  and I wanted to get a good idea as far as what the different sandboxes gave me
[10:16.460 --> 10:23.860]  before I did my actual analysis on a real computer since, you know, whatever.
[10:24.300 --> 10:27.560]  And so in the left-hand corner, you see VirusTotal.
[10:27.560 --> 10:30.600]  And then on the upper part, you see CAPE Sandbox,
[10:30.600 --> 10:32.160]  and then the bottom, Joe Sandbox.
[10:32.160 --> 10:35.480]  Joe Sandbox gave more in this instance.
[10:35.480 --> 10:36.820]  Next slide, please.
[10:38.040 --> 10:42.140]  And then this is the actual manual part of it.
[10:42.140 --> 10:49.500]  And it was about 75 pages worth of stuff that I collected from doing it manually.
[10:49.800 --> 10:51.440]  This is just some of them here.
[10:51.440 --> 10:52.640]  Some of them could be helpful.
[10:52.640 --> 10:58.400]  I also grabbed all the PowerShell command line stuff that came out of executing it.
[10:58.400 --> 10:59.700]  Next slide, please.
[11:01.140 --> 11:04.420]  So the funny thing, too, as a threat intel analyst,
[11:04.420 --> 11:08.600]  I decided to look at threat reports, and it was a Raccoon Stealer sample.
[11:08.600 --> 11:11.280]  So I came across a Cybereason blog,
[11:11.280 --> 11:15.200]  because something funny happened while I was executing that one.
[11:15.200 --> 11:19.280]  It asked me if I wanted to install the .NET framework.
[11:19.280 --> 11:23.580]  But then in the threat report, it said that one of the biggest complaints
[11:23.580 --> 11:29.780]  from criminals out there is that the Raccoon Stealer has a very low success rate.
[11:29.780 --> 11:33.440]  And I'm like, well, gee, now I know why.
[11:33.640 --> 11:38.180]  Basically, it would require people, at least with the version of Windows 10
[11:38.180 --> 11:42.280]  that I was using, to install the .NET framework.
[11:42.280 --> 11:48.080]  So that's a little bit of... that's a lot more work involved.
[11:48.080 --> 11:51.060]  You know, if they're like, here's an invoice, read it.
[11:51.060 --> 11:54.120]  It's like, oh, man, I have to install this? Yeah, screw that.
[11:54.120 --> 11:57.300]  Like, I'm just going to move on with my life, right?
[11:57.320 --> 11:58.700]  Next slide, please.
[11:59.220 --> 12:00.480]  Oh, you did it.
[12:00.620 --> 12:06.440]  So then, let's see, Thursday of this week, I had a friend contact me,
[12:06.440 --> 12:13.200]  and he was like, hey, I know you're doing a talk at the DEF CON villages,
[12:13.200 --> 12:18.660]  and if I gave you a blocked, you know, sample from my org
[12:18.660 --> 12:21.400]  that we don't really care about, that's junk data,
[12:21.400 --> 12:22.880]  would you be interested?
[12:22.880 --> 12:27.340]  Would you want to, you know, see what you can do with it, right?
[12:27.340 --> 12:30.880]  And this was about 24 hours prior to a previous presentation.
[12:30.880 --> 12:31.980]  I'm like, sure.
[12:32.100 --> 12:35.560]  I'm like, let's see what I can come up with,
[12:35.560 --> 12:37.660]  and then I will share it with the world.
[12:38.840 --> 12:41.760]  So can I do it? Can I not do it? We'll see.
[12:43.980 --> 12:48.200]  So what I did, I found the sample in VirusTotal,
[12:48.760 --> 12:56.640]  and then I loaded it to ANY.RUN, and then I also loaded it to MalwareBazaar.
[12:56.640 --> 13:00.280]  So the reason why I loaded it to all these different sandboxes
[13:00.840 --> 13:04.520]  is that MalwareBazaar gives me some really good data.
[13:04.820 --> 13:08.360]  Joe Sandbox, I obviously don't have a corporate thing
[13:08.360 --> 13:11.660]  because, you know, I was doing this as an independent researcher,
[13:11.660 --> 13:15.260]  and, you know, if you submit it through MalwareBazaar,
[13:15.260 --> 13:17.840]  you get Joe Sandbox, you get CAPE,
[13:17.840 --> 13:22.800]  you get a lot of good stuff to look at and pivot between
[13:22.800 --> 13:25.040]  when you're building out your reports.
[13:25.080 --> 13:26.980]  And then, of course, VMRay.
[13:29.860 --> 13:33.960]  So just as a little side note, the threat intel brain in me kicked in,
[13:33.960 --> 13:36.180]  and I'm like, oh, I'm like, I have the sample.
[13:36.180 --> 13:38.160]  I can make them a custom rule.
[13:38.160 --> 13:42.480]  So I looked at the callout for the DNS traffic and pivoted,
[13:42.480 --> 13:45.580]  and it was, of course, a Nigerian-based hosting,
[13:45.580 --> 13:51.620]  not saying that Nigerian hosting is potentially malicious, whatever,
[13:51.620 --> 13:57.620]  but I pivoted off of it, and I found four additional samples that were malicious.
[13:57.620 --> 14:03.080]  So what I did is I created a custom YARA rule using diff and VirusTotal,
[14:03.080 --> 14:05.740]  and then I passed that along to my contact.
[14:05.740 --> 14:08.720]  And then the next step was I looked up MITRE ATT&CK,
[14:08.720 --> 14:12.740]  because I'm like, okay, I know that it is Hawkeye,
[14:12.740 --> 14:18.560]  and I know that MITRE ATT&CK kind of makes my life easy sometimes
[14:18.560 --> 14:21.180]  and has stuff already done for me.
[14:21.180 --> 14:23.880]  And lo and behold, I look at MITRE ATT&CK,
[14:23.880 --> 14:27.480]  and no, they don't have what it is that I need.
[14:27.480 --> 14:29.620]  So that means I need to create it from scratch.
[14:29.620 --> 14:31.380]  But how do I do that?
[14:34.380 --> 14:41.760]  So then I use a framework, and I use the MITRE ATT&CK tactics to guide my research.
[14:41.760 --> 14:48.440]  And this is a printout from Joe Sandbox, where they kind of map the different behaviors
[14:48.440 --> 14:53.520]  and TTPs of the particular malware sample that we have.
[14:54.040 --> 14:55.540]  Next slide, please.
[14:55.860 --> 15:01.160]  So for initial access, it was an email with an exe attachment,
[15:01.160 --> 15:04.780]  and the subject said, invoice attached!
[15:05.280 --> 15:07.940]  And it can propagate through USB.
[15:08.420 --> 15:11.680]  As you can see here, on the left-hand side,
[15:11.680 --> 15:15.700]  you see the raw sample of the email, and it says reverse invoice.
[15:15.700 --> 15:17.200]  That was really funny.
[15:17.620 --> 15:22.220]  And I decided to go to the domain in there just to see what was up with it.
[15:22.220 --> 15:25.460]  And that's the yellow thing on the right-hand side.
[15:25.460 --> 15:28.620]  And then the sender, the sender down at the bottom,
[15:28.620 --> 15:35.400]  it was actually a Nigerian company as well that was sending the malicious exe.
[15:36.020 --> 15:39.740]  So I, of course, passed that along to my contact.
[15:40.280 --> 15:42.640]  So, next slide.
[15:43.260 --> 15:45.400]  So now we have execution.
[15:45.400 --> 15:51.820]  And of course, user execution is required, and that's T1204.002.
[15:51.820 --> 15:54.280]  And it was execution of a malicious file.
[15:54.280 --> 15:55.340]  Next slide.
[15:57.060 --> 16:02.320]  And now we have WMI, T1047.
[16:03.900 --> 16:08.140]  And so what I wanted to do, since I had a very short amount of time,
[16:08.140 --> 16:10.500]  and I had a lot of stuff to get through,
[16:10.500 --> 16:16.360]  so what I did is I created a process in order to parse all of this and get it out.
[16:16.720 --> 16:21.140]  Basically, I go to the Joe Sandbox MITRE ATT&CK section,
[16:21.140 --> 16:26.940]  and then I go to the Joe Sandbox specific entry in the report,
[16:26.940 --> 16:30.720]  which you can see down at the bottom, the box thing,
[16:30.720 --> 16:33.960]  that's the specific entry that I'm talking about.
[16:33.960 --> 16:39.420]  And then I check Atomic Red Team to see if there's anything that's related to that,
[16:40.140 --> 16:44.860]  such as "check if AV, antivirus, firewall program is installed,"
[16:44.860 --> 16:47.940]  and then I Google what isn't there.
[16:47.940 --> 16:49.420]  Next slide, please.
[16:51.580 --> 16:58.200]  So when I first did this for T1047 in Atomic Red Team,
[16:58.200 --> 17:02.400]  I didn't find anything that matched the commands that I needed.
[17:02.440 --> 17:07.080]  And so I decided to Google, and I found something on Stack Overflow,
[17:07.080 --> 17:08.740]  so I threw it up there.
[17:08.740 --> 17:12.080]  And later in the presentation, as I was doing my research,
[17:12.080 --> 17:20.800]  I found the T1518.001, and I came back and added it here.
[17:20.840 --> 17:24.760]  So this is a tip, if you do decide to leverage this,
[17:24.760 --> 17:32.140]  that sometimes things will be under different atomic tests, essentially.
[17:32.140 --> 17:33.760]  Next slide, please.
[17:33.900 --> 17:37.780]  So the next one was Native API.
[17:39.320 --> 17:46.520]  And when I went to go look at the specific section of Joe Sandbox,
[17:46.520 --> 17:52.680]  I searched and searched and couldn't really find anything beyond just the APIs
[17:52.680 --> 17:55.100]  that were involved with that.
[17:55.100 --> 17:59.360]  So then I went to Atomic Red Team, and they had something that had a command
[17:59.360 --> 18:06.000]  that was similar to v4.0.30319.
[18:06.000 --> 18:11.320]  So I did a search in the actual Joe Sandbox, and I found a command
[18:11.940 --> 18:16.120]  on the command line, but there were no specifics tied with it.
[18:16.120 --> 18:24.520]  So this at least gives a beginning of what exe was being used to interface
[18:24.520 --> 18:28.940]  with the APIs, and the APIs specifically included.
[18:28.940 --> 18:30.420]  Next slide, please.
[18:30.720 --> 18:32.780]  So now we have persistence.
[18:32.780 --> 18:34.000]  Next slide.
[18:34.940 --> 18:40.400]  So I looked at the area, the specific area in Joe Sandbox,
[18:40.400 --> 18:42.360]  and I found WerFault.
[18:42.360 --> 18:43.840]  WerFault was the culprit.
[18:43.840 --> 18:46.760]  And I had a hash of WerFault.
[18:46.820 --> 18:52.460]  And so I threw that in VirusTotal, and it looks like it's a legitimate service.
[18:53.120 --> 18:55.020]  So this is interesting.
[18:55.020 --> 18:58.580]  It looks like that one is being used for DLL side loading.
[18:58.580 --> 19:00.880]  Next slide.
[19:00.880 --> 19:04.760]  Next we have privilege escalation.
[19:04.760 --> 19:07.660]  So we have... slide after that, please.
[19:08.460 --> 19:12.120]  So now we have DLL side loading again.
[19:12.400 --> 19:15.100]  Next slide as well.
[19:15.700 --> 19:18.640]  And then we also have process injection.
[19:18.720 --> 19:22.120]  And so there is an Atomic Red Team test for this,
[19:22.120 --> 19:26.120]  and I put the command line argument there for that.
[19:26.120 --> 19:27.560]  Next slide.
[19:27.560 --> 19:33.260]  There was a ton of defense evasion with this particular sample of Hawkeye.
[19:33.260 --> 19:43.480]  Everything from invalid code signing to software packing to sandbox evasion to obfuscating files.
[19:43.480 --> 19:45.200]  Next slide, please.
[19:47.540 --> 19:53.420]  So what I did is I tried to pick the one... the previous slide, please.
[19:53.420 --> 20:03.980]  I tried to pick stuff out of the defense evasion that I think red teamers and blue and all of that could be able to take advantage of, essentially.
[20:03.980 --> 20:06.140]  And so one of them was masquerading.
[20:06.200 --> 20:11.280]  This sample created files inside the actual user directory.
[20:11.360 --> 20:17.240]  And so I put the location of what was being created and what it was called and all of that.
[20:17.240 --> 20:20.560]  And there are a ton of tests for Atomic Red Team.
[20:20.560 --> 20:24.960]  So you can just pull the commands out of that that make sense that fit with this.
[20:24.960 --> 20:26.000]  Next slide, please.
[20:26.580 --> 20:33.100]  So the next one is modify registry, and it stores a large binary data to the registry.
[20:33.100 --> 20:41.340]  And I put the registry key that was changed or modified along with what it looked like.
[20:41.340 --> 20:48.940]  I know that there's stuff that could potentially... I'm sure red teamers are like, hmm, I know what that is.
[20:49.820 --> 20:52.160]  Next slide, please.
[20:53.020 --> 20:57.140]  The next one is hidden files and directories.
[20:57.140 --> 21:06.300]  I couldn't find an Atomic Red Team test specifically for this one, for changing Windows Explorer.
[21:06.300 --> 21:10.720]  But I did put the key value that was changed.
[21:10.720 --> 21:12.140]  Next slide, please.
[21:13.780 --> 21:17.900]  So this one is my educated guess.
[21:17.900 --> 21:27.060]  So in the detailed part of the sandbox report, it says that it contains functionality to read the PEB.
[21:27.060 --> 21:34.360]  So from a little bit of exploit dev reading, essentially, you know, you can create shellcode.
[21:34.360 --> 21:44.380]  You know, this is to walk through the PEB, the process environment block, in order to find the address of kernel32.dll.
[21:44.380 --> 21:49.640]  And so I made an educated guess that that's what the shellcode was about.
[21:49.640 --> 21:51.340]  Next slide.
[21:51.500 --> 21:54.880]  Next one is credential access.
[21:54.920 --> 22:05.320]  So I put in here all the different files that were accessed and stolen from this particular sample.
[22:05.440 --> 22:07.840]  And there is an atomic test for it.
[22:07.840 --> 22:09.200]  Next slide.
[22:09.200 --> 22:11.540]  Next one is discovery.
[22:11.800 --> 22:15.820]  And this one queries a list of running processes.
[22:15.820 --> 22:22.560]  And there is an atomic test for it, or atomic commands that you can take out and put into whatever you use.
[22:22.560 --> 22:25.280]  The next one, remote system discovery.
[22:25.480 --> 22:28.920]  There is an atomic test available for this one as well.
[22:28.920 --> 22:35.540]  And it kind of tells you where to go and what's going on, what's reading and stuff like that.
[22:35.540 --> 22:37.300]  The next one, please.
[22:38.100 --> 22:39.840]  System info discovery.
[22:39.840 --> 22:48.060]  I put the key, the registry key that was queried in there for the particular emulation.
[22:48.060 --> 22:50.320]  And there is an atomic test for this.
[22:50.380 --> 22:51.280]  Next slide.
[22:52.540 --> 22:54.000]  Lateral movement.
[22:54.140 --> 22:57.640]  The only thing that I can talk about... previous slide, please.
[22:57.820 --> 23:05.540]  The only thing that I can talk about... the only thing that I can talk about regarding this is that it replicates via USB.
[23:05.540 --> 23:06.920]  Next slide.
[23:07.480 --> 23:15.160]  So, collection... it steals data from the local system, which is T1005.
[23:15.160 --> 23:17.860]  There is also keylogging as well with this.
[23:17.860 --> 23:23.440]  And there are Atomic Red Team commands available for this for you to extract.
[23:23.440 --> 23:24.620]  Next slide, please.
[23:24.620 --> 23:28.940]  And it also extracts and archives the collected data.
[23:28.940 --> 23:36.120]  So, my educated guess on this is that it compresses or encrypts the data prior to exfil.
[23:36.120 --> 23:39.040]  So, that is a good behavior to include as well.
[23:39.040 --> 23:43.560]  And there is an Atomic Red Team test with a dependency on PowerShell.
[23:43.560 --> 23:45.140]  Next slide, please.
[23:45.680 --> 23:48.340]  It does grab your clipboard data.
[23:48.340 --> 23:50.460]  And there is an atomic test available.
[23:50.460 --> 23:51.500]  Next slide.
[23:53.540 --> 23:55.400]  Local email collection.
[23:55.400 --> 24:00.180]  It shows all the different files where the information was harvested, essentially.
[24:00.180 --> 24:02.700]  And there is an atomic test for this one.
[24:02.700 --> 24:03.720]  Next slide, please.
[24:04.460 --> 24:06.520]  Okay, C2. Next slide.
[24:06.520 --> 24:16.320]  Here are the various things that were associated with C2, from an encrypted channel and a non-application layer protocol.
[24:16.320 --> 24:19.700]  And there are atomic tests available.
[24:19.700 --> 24:20.780]  Next slide.
[24:21.720 --> 24:28.300]  And the thing that I would recommend when you are building this out and looking at the C2 is the C2 matrix.
[24:28.560 --> 24:34.980]  So, you can see right here the various functionalities that all of these different C2s...
[24:35.300 --> 24:37.620]  I think they said that they were at 53 now.
[24:37.620 --> 24:38.680]  There is a ton.
[24:38.680 --> 24:40.560]  And there is a Black Hat talk on it.
[24:41.000 --> 24:43.320]  Black Hat Arsenal talk on it.
[24:43.360 --> 24:45.800]  And Jorge Orchilles talks on it a lot.
[24:45.800 --> 24:50.080]  So, he can definitely give you a ton of information about it.
[24:50.720 --> 24:52.400]  C2matrix.com.
[24:52.480 --> 24:56.640]  And use that to pick your C2 that matches with the capabilities.
[24:56.640 --> 24:57.600]  Next slide.
[24:58.840 --> 25:00.540]  So, exfiltration.
[25:00.540 --> 25:05.980]  I just took that the data is compressed or encrypted.
[25:05.980 --> 25:07.080]  Next slide.
[25:08.140 --> 25:09.120]  So, impact.
[25:09.120 --> 25:14.240]  There really doesn't seem to be a crazy amount of impact like there would be with ransomware.
[25:14.740 --> 25:16.180]  You know, they steal creds.
[25:16.180 --> 25:16.940]  Use them later.
[25:16.940 --> 25:17.820]  Sell them.
[25:17.820 --> 25:20.700]  Who knows what this particular actor is doing.
[25:21.100 --> 25:23.660]  So, now I'm going to add some extra context.
[25:23.740 --> 25:24.760]  Next slide, please.
[25:24.760 --> 25:28.340]  So, I looked at the YARA rule specifically in MalwareBazaar.
[25:28.340 --> 25:31.220]  And I saw that it was kind of... it was really active.
[25:31.220 --> 25:33.480]  Like, it was still getting a lot of samples.
[25:33.480 --> 25:34.760]  So, not stale.
[25:34.760 --> 25:35.980]  Next slide, please.
[25:37.760 --> 25:38.860]  And you'll see...
[25:39.440 --> 25:41.140]  So, I went to MalwareBazaar.
[25:41.140 --> 25:42.220]  And then I pivoted out.
[25:42.220 --> 25:43.700]  Looked at the YARA rule.
[25:43.700 --> 25:47.780]  And then I looked at the Joe Sandbox command line.
[25:47.780 --> 25:52.800]  And I saw that this particular YARA rule that was still alerting was from 2015.
[25:52.800 --> 25:57.640]  And they were still using the same string in the command line.
[25:57.640 --> 26:03.100]  So, I'm like, oh, that would be really great to include in adversary emulation exercises.
[26:03.300 --> 26:06.920]  Since it's been pretty consistent for about five years.
[26:07.000 --> 26:08.200]  Next slide, please.
[26:10.300 --> 26:14.180]  So, with this, the HTTP traffic doesn't have a header.
[26:14.180 --> 26:23.160]  And then I put where files, some files that were written, and the process tree for additional context.
[26:23.160 --> 26:24.360]  Next slide, please.
[26:24.360 --> 26:26.880]  It also dropped 11 files.
[26:26.880 --> 26:30.600]  And I put all the different files that were dropped in the different folders.
[26:30.600 --> 26:32.040]  Next slide, please.
[26:32.980 --> 26:34.660]  Other characteristics.
[26:34.800 --> 26:38.860]  Queries connects over DNS, over HTTPS.
[26:39.160 --> 26:44.040]  The thing that was interesting to me is that it used port 0 for listening.
[26:44.890 --> 26:50.300]  And then, you know, injection with CreateRemoteThread.
[26:50.300 --> 26:57.160]  So, that sounds like something red team would be interested in knowing that this particular thing does.
[26:57.380 --> 26:59.240]  So, next slide, please.
[26:59.340 --> 27:07.800]  So, basically, I mean, I got someone's throwaway malware sample that they didn't really care about.
[27:07.800 --> 27:09.200]  That was blocked.
[27:09.200 --> 27:12.060]  And I was able to extract all that information.
[27:12.060 --> 27:30.340]  Find out, you know, it was, it used a Nigerian infrastructure from a Nigerian, I'm assuming, compromised company to send, you know, invoices to the particular organization.
[27:30.340 --> 27:38.900]  And built out a thing that they could use to test their defenses regarding adversary emulation exercises.
[27:38.900 --> 27:46.580]  And this was all just from pivoting between multiple sandbox reports and some of my own analysis as well.
[27:46.580 --> 27:48.460]  Not all of it was from Joe Sandbox.
[27:48.460 --> 27:51.960]  I also included some from CAPE Sandbox as well.
[27:51.960 --> 27:56.300]  And then, me just looking over the sandbox results as well.
[27:56.300 --> 27:57.640]  Next slide, please.
[27:58.980 --> 28:06.200]  Finally, so what you can do if you decide you want to move forward with this is the purple team exercise framework.
[28:06.200 --> 28:09.440]  Jorge Orchilles talks about this.
[28:09.440 --> 28:11.360]  He just released it through Scythe.
[28:11.360 --> 28:13.880]  It's free and available to the community.
[28:14.140 --> 28:26.760]  And it gives you a really good framework in order to be able to process this and to move forward with a purple team exercise.
[28:26.760 --> 28:28.040]  Next slide, please.
[28:30.140 --> 28:37.040]  And CyberWardog, he did a blog post about tracking the hunt team.
[28:37.380 --> 28:42.320]  And so, what I was thinking is that you could do the same thing for purple.
[28:42.320 --> 28:54.300]  And essentially, like track over time and present to your manager or upper management or whomever, like the various TTPs that you've been testing over time.
[28:54.420 --> 28:57.000]  And your coverage with it.
[28:57.000 --> 29:04.320]  Or, you know, for just throwing out random ideas, right?
[29:04.320 --> 29:14.280]  So, you can also use it to track the kind of activity that you're getting from the various malicious items that are being sent to your organization.
[29:14.280 --> 29:22.080]  So, for Nigerian infrastructure, you know, you're like, huh, okay, so they're using these general TTPs.
[29:22.100 --> 29:24.100]  And here's our coverage for it.
[29:24.100 --> 29:25.740]  Here's what we've tested.
[29:25.740 --> 29:30.820]  And basically, the manager can just sit there over time and look at the colors change.
[29:31.440 --> 29:33.940]  So, that would be helpful.
[29:34.720 --> 29:39.740]  But as a CTI analyst, like, I'm not a red teamer.
[29:39.740 --> 29:48.620]  Like, I honestly don't know the commands, whether or not they're right or not, without testing all of them and how to go forward with this.
[29:48.620 --> 29:51.360]  So, this is where the easy button comes in.
[29:51.360 --> 29:55.760]  And I'm going to hand off the presentation to my co-speaker.
[29:56.560 --> 29:57.600]  Hi, everyone.
[29:57.600 --> 29:58.880]  My name's Hayden.
[29:58.880 --> 30:02.580]  I was just listening to you and thinking this talk was amazing, Thierry.
[30:02.580 --> 30:06.140]  Thank you for inviting me to co-talk with you.
[30:06.140 --> 30:10.640]  So, Thierry was talking about cyber threat intelligence, adversary emulation, purple teaming.
[30:10.640 --> 30:15.560]  And what's happened is that we both were talking back and forwards.
[30:15.560 --> 30:20.900]  I've been a cyber threat intelligence analyst six months ago or years ago for six months.
[30:20.900 --> 30:29.220]  And what happened was I used to copy and paste indicators such as IP addresses and domains from a report, throw it through ArcSight.
[30:29.420 --> 30:33.560]  So, Thierry was telling me she wants to make it easier for cyber threat intel analysts.
[30:33.560 --> 30:36.800]  So, I was into coding and learning Golang.
[30:36.800 --> 30:39.440]  So, I came up with emulate.go.
[30:39.440 --> 30:52.240]  Now, the problem that we were identifying, well, not a problem, but the concern we had with C2 tools such as PowerShell Empire or many of the others is that they can have a steep learning curve.
[30:52.240 --> 30:55.260]  And you need a really deep technical understanding.
[30:55.340 --> 30:57.600]  They can require a lot of dependencies.
[30:57.760 --> 31:04.840]  And they can require a bit of a setup as well to get your Meterpreter payload working or things like that.
[31:04.840 --> 31:07.840]  So, most of them can be extremely complex.
[31:07.840 --> 31:18.780]  And we wanted to abstract that away and focus on cyber threat intelligence of initial access and creating it that way.
[31:18.780 --> 31:28.680]  So, the goal was to lower the bar of entry for adversary emulation, abstract away the technicality, focus on initial access, and help people learn.
[31:28.680 --> 31:31.880]  Adversary emulation in Purple Team can be quite advanced.
[31:31.880 --> 31:43.260]  But ultimately, when you get down to it, it's attempting an attack or building an exercise for attack, executing it, and seeing if you detected it or missed it, and then fine-tuning it.
[31:43.440 --> 31:45.160]  So, that's what we were doing.
[31:45.420 --> 31:49.360]  The solution was a client-server implementation.
[31:49.360 --> 31:57.120]  It doesn't have a command line GUI as advanced as Metasploit or Red Team Atomic Framework or anything like that.
[31:57.120 --> 31:59.160]  It doesn't have any payloads or modules.
[31:59.160 --> 32:00.500]  It doesn't have dependencies.
[32:00.500 --> 32:02.000]  It is written in Go.
[32:02.000 --> 32:06.000]  So, if you want to run the Go file, you obviously have to install Go.
[32:06.060 --> 32:07.940]  I think it's been easy to use.
[32:07.940 --> 32:10.320]  I made some obvious command line arguments.
[32:10.760 --> 32:17.840]  It's limited to two things, running execution manually and a list of commands.
[32:17.840 --> 32:19.800]  So, you can say, whoami.
[32:19.800 --> 32:23.260]  You can do a regedit, but you have to manually do it or put it in a file.
[32:23.460 --> 32:26.540]  And then there's basic logging into JSON format.
[32:26.540 --> 32:28.620]  So, let's continue.
[32:28.620 --> 32:37.180]  The basic C2 infrastructure for command and control is, obviously, the admin sits in the cloud and then it connects to the infected machine.
[32:37.180 --> 32:39.260]  So, I was like, okay, let's do that.
[32:39.260 --> 32:53.620]  But with adversary emulation, I really wanted to allow CTI analysts or people who are learning to also test their environment on lateral movement or if one or more systems are infected.
[32:53.620 --> 32:56.620]  So, the parent proxy mode sits in the middle.
[32:56.700 --> 32:59.860]  It receives the commands and forwards them to the child.
[33:00.220 --> 33:02.420]  And that way, it's sort of like a daisy chain.
[33:02.420 --> 33:06.980]  And it just adds a little bit more complexity or functionality for testing.
[33:07.980 --> 33:12.700]  So, again, the modes as any C2 tool are, is it has an admin interface.
[33:12.700 --> 33:18.120]  It runs in the cloud or it pretends to be an external attacker.
[33:18.240 --> 33:23.040]  The parent mode, obviously, proxies the commands back and forwards, but you don't have to use it.
[33:23.040 --> 33:28.820]  The client mode receives the commands from either the admin or parent and executes them.
[33:28.820 --> 33:29.900]  Pretty simple.
[33:29.900 --> 33:38.820]  So, we tried to abstract away everything and help people or even CTI analysts sort of be more beneficial to an adversary emulation.
[33:39.080 --> 33:47.400]  So, the two types of modes I mentioned before is on the left, the normal one, you type hostname, whoami, and you can see my machine hidden local.
[33:47.400 --> 33:55.480]  The list one, you just supply a file with a list of commands and it will just run through them automatically and send the results back.
[33:55.480 --> 33:56.900]  So, nice and easy.
[33:58.180 --> 34:09.400]  And the dash log is just into a JSON format with the timestamp of command execution, the command that was executed or requested, and then the results.
[34:09.400 --> 34:20.680]  So, this just allows you as someone, if you're at home or in your org, that if you have 100 commands or you execute them and try the next day, you have timestamps to correlate in your detection tools.
[34:22.680 --> 34:26.700]  So, with my tool, I wanted to add TLS.
[34:26.700 --> 34:32.600]  The reason being is that when you're emulating an adversary, they probably don't use clear text.
[34:32.740 --> 34:36.840]  And I didn't, I was trying to think of things that would get in the way of testing.
[34:36.840 --> 34:48.820]  And if you have a command control tool reaching outside your network, your IPS or something in the cloud, whichever detection tool you have is going to trigger an alert and most probably block it.
[34:49.000 --> 34:53.960]  So, I added some certificates and I was playing with Go and got it working.
[34:54.160 --> 34:59.300]  And I sort of cheated a bit because the idea is to abstract away some of the complexity.
[34:59.300 --> 35:06.380]  So, I didn't want anyone to have to build their own certificates, the X509, the key, the product key, stuff like that.
[35:06.380 --> 35:10.320]  So, what I did is I included it in the files.
[35:10.380 --> 35:13.880]  And when you build them, they're included in the executable or the binaries.
[35:14.280 --> 35:18.980]  And then I marked it as InsecureSkipVerify, which means that it skips the verification.
[35:19.020 --> 35:21.800]  Because TLS is meant to be tied to a domain.
[35:22.280 --> 35:28.760]  And obviously, if you're putting on different boxes, you're putting in the cloud, you don't want to have to generate a certificate all the time.
[35:28.760 --> 35:30.740]  So, this was just to help make it easier.
[35:30.740 --> 35:37.400]  So, regarding encryption, if you don't know, the clear text version is on the left.
[35:37.400 --> 35:41.720]  And you can see the command being recorded over the network in clear text.
[35:41.720 --> 35:43.600]  And TLS gobbles it.
[35:43.600 --> 35:47.180]  So, it's version 1.3, which I was lucky with, I guess.
[35:47.520 --> 35:55.460]  And then because the tool prints to the screen in all three different modes, malware wouldn't print to the screen.
[35:55.460 --> 35:59.320]  It's great for learning, but it's not so much great for emulation.
[35:59.320 --> 36:04.840]  And I didn't want people detecting the print to the screen or printing to the terminal.
[36:05.080 --> 36:08.520]  So, I wanted you to be able to silence it, and then it would just go blank.
[36:08.520 --> 36:10.700]  And you wouldn't see anything printed to the screen.
[36:10.700 --> 36:12.020]  So, that was my thinking.
[36:12.920 --> 36:15.180]  I did add a pause function.
[36:15.180 --> 36:21.460]  So, in the bottom left here, you can just see that it shows the options running in clear text or logging as on and off.
[36:21.720 --> 36:26.000]  And I mostly did that to annoy script kiddies, just because, why not?
[36:26.000 --> 36:28.680]  In addition to just letting you see the options.
[36:28.680 --> 36:32.640]  And then if you do the dash skip, you can skip this bit.
[36:32.640 --> 36:36.800]  And it will just run through automatically, so you can run it quickly.
[36:36.940 --> 36:39.920]  So, I recorded some demos of this.
[36:39.920 --> 36:45.460]  I wanted to show all the different modes, list and normal, and then the TLS demonstration.
[36:45.620 --> 36:53.920]  And then I also wanted to show a registry edit with BlueSpawn, which is an open source EDR, and a scheduled task execution.
[36:54.060 --> 36:55.940]  So, let's get to that.
[36:58.090 --> 36:59.830]  I will drag it over here.
[36:59.830 --> 37:02.430]  See, I have them all in my folder recorded, ready to go.
[37:02.430 --> 37:05.170]  So, I didn't have any technical issues.
[37:05.190 --> 37:08.810]  The thing here is that it's just a host name in the cloud called Ubuntu.
[37:08.890 --> 37:10.790]  And then I set up a lab.
[37:10.790 --> 37:12.630]  So, this is a domain controller.
[37:13.110 --> 37:18.570]  So, I have the emulate and the executable on Linux, because I was moving over to the Windows file.
[37:18.690 --> 37:21.470]  But it's just ./emulate.
[37:21.470 --> 37:22.830]  The mode is admin.
[37:22.950 --> 37:25.050]  And then you choose the listening port.
[37:25.210 --> 37:26.910]  Listening IP address and port.
[37:26.910 --> 37:28.370]  So, it's just 8.8.8.8.
[37:28.370 --> 37:29.990]  The options are on the left.
[37:29.990 --> 37:31.430]  You've got your TLS, none.
[37:31.430 --> 37:32.490]  Logging, none.
[37:32.490 --> 37:33.470]  Pause, none.
[37:33.470 --> 37:37.670]  And then it even tells you where to connect the client to.
[37:38.270 --> 37:42.390]  So, when you run the executable, you actually choose client mode.
[37:42.390 --> 37:47.310]  And then you do client connect with the same IP address and the same ports.
[37:47.390 --> 37:49.950]  And it should just connect nice and easily.
[37:50.030 --> 37:55.710]  And you don't have to worry about making sure you've done it right.
[37:55.710 --> 37:56.690]  Yep.
[37:56.690 --> 37:58.270]  And it just works like that.
[37:58.330 --> 38:01.070]  And then you can enter whoami or a hostname.
[38:01.070 --> 38:03.390]  Just a nice demo to show it working.
[38:03.590 --> 38:07.810]  And then it prints to the screen on the client side so that you know it's working correctly.
[38:07.910 --> 38:11.250]  And what results it's giving.
[38:11.950 --> 38:14.750]  And then this is why I put silence in.
[38:14.750 --> 38:20.450]  Just so that when the client executes, it doesn't detect I'm printing to the screen.
[38:20.450 --> 38:22.170]  Because that would be rather embarrassing.
[38:23.470 --> 38:26.190]  So, the admin list works this way.
[38:26.190 --> 38:27.590]  The same way.
[38:28.310 --> 38:29.870]  So, we do dot emulate.
[38:29.870 --> 38:31.670]  The mode is admin list.
[38:31.670 --> 38:35.090]  You supply the port and IP with the dash listen again.
[38:35.710 --> 38:38.110]  And my typing is really slow.
[38:38.170 --> 38:41.270]  And then you just do the dash commands with the file.
[38:41.270 --> 38:43.170]  So, it would be commando dot text.
[38:43.170 --> 38:46.010]  And we're attempting to launch it in admin list mode.
[38:46.870 --> 38:49.050]  So, on the client is the same.
[38:49.050 --> 38:50.830]  But you do client list mode.
[38:52.030 --> 38:55.470]  And then you do the IP address and port.
[38:56.110 --> 39:01.650]  So, what happens is when you run it, it should automatically execute it like that.
[39:02.290 --> 39:07.070]  So, we just ran whoami, hostname, powershell.exe, OS.
[39:07.070 --> 39:08.350]  Not advanced commands.
[39:08.350 --> 39:09.390]  It's just a demo.
[39:09.390 --> 39:12.150]  And to help you guys see the tool in motion.
[39:12.630 --> 39:14.310]  So, that's how it works.
[39:14.530 --> 39:17.970]  Let me close Windows Media Player.
[39:18.430 --> 39:20.450]  The parent mode is pretty cool.
[39:20.450 --> 39:22.070]  Or at least I think it's pretty cool.
[39:22.070 --> 39:24.970]  So, here I've got Ubuntu on the left.
[39:25.230 --> 39:27.830]  I've got two Windows PowerShells open.
[39:28.450 --> 39:32.410]  And then I'm just using the admin dash listen mode in port 999.
[39:32.530 --> 39:35.090]  And then I'm just using dash parent mode.
[39:35.090 --> 39:37.010]  And then the flags are pretty simple.
[39:37.010 --> 39:38.870]  So, it's dot parent connect.
[39:38.870 --> 39:40.510]  Where is the parent going to connect to?
[39:40.510 --> 39:41.870]  It's the admin server.
[39:42.010 --> 39:46.810]  And then dash parent listen is what port is it going to listen on?
[39:46.850 --> 39:47.670]  So, it makes sense.
[39:47.670 --> 39:48.530]  Nice and easy.
[39:48.530 --> 39:49.930]  And then emulate dot exe.
[39:49.930 --> 39:51.150]  The mode is client.
[39:51.150 --> 39:53.970]  Client connect connects to the parent.
[39:54.110 --> 39:56.350]  And then it just forwards the commands through.
[39:56.470 --> 39:59.030]  So, when you're in your org or you're learning at home.
[39:59.030 --> 40:01.230]  You can do more than one machine.
[40:01.370 --> 40:02.710]  Which is pretty cool.
[40:02.710 --> 40:04.770]  And here I typed netstat incorrectly.
[40:04.770 --> 40:07.150]  That's why it doesn't quite work.
[40:09.840 --> 40:11.060]  And yeah, there you go.
[40:13.320 --> 40:17.040]  So, the basic logging format, again, is in JSON.
[40:17.040 --> 40:18.540]  So, if I skip through.
[40:18.860 --> 40:20.980]  I've just done admin list.
[40:20.980 --> 40:23.760]  The listen with the IP address and port again.
[40:23.840 --> 40:24.900]  The dash command.
[40:24.900 --> 40:26.960]  Because we're going to execute in command.
[40:27.360 --> 40:29.940]  And then dash log with the name emulog.
[40:29.940 --> 40:32.440]  Which will create emulog dot JSON.
[40:32.480 --> 40:33.680]  Simple as that.
[40:33.680 --> 40:37.040]  And then on the client mode, you don't have to do the logging.
[40:37.040 --> 40:39.600]  It's only the admin interface that logs.
[40:39.600 --> 40:41.000]  Which is more realistic.
[40:41.000 --> 40:42.200]  But I guess you could.
[40:42.200 --> 40:46.040]  I could build logging for the client if everyone demands it.
[40:46.040 --> 40:46.940]  Or if it's useful.
[40:46.940 --> 40:49.540]  But I thought just doing it on the admin was fine.
[40:50.660 --> 40:56.220]  And then if I skip through and you get the emulog dot JSON file, it's pretty ugly.
[40:56.220 --> 40:57.360]  It's just there.
[40:57.360 --> 40:58.960]  It's just basic JSON.
[41:00.560 --> 41:02.680]  I think that's it.
[41:02.740 --> 41:06.440]  If you put it in nano, it is actually in a JSON object.
[41:06.440 --> 41:10.120]  So, it's got the time, the command, and the output that it receives.
[41:10.120 --> 41:14.060]  So, that allows you to correlate between the different detection tools.
[41:15.580 --> 41:18.720]  The TLS option is pretty similar.
[41:18.720 --> 41:20.680]  You just add dash TLS.
[41:20.800 --> 41:26.100]  So, as you can see here, it's emulate dash mode admin dash listen.
[41:26.100 --> 41:30.880]  I did port 000 just to show that it can listen multiple interfaces.
[41:30.940 --> 41:34.140]  But dash TLS is really the important key here.
[41:34.400 --> 41:38.160]  And then on the client side, you also need to put dash TLS.
[41:38.160 --> 41:39.680]  Otherwise, the handshake won't work.
[41:39.680 --> 41:43.400]  It will think SSL on one end and non-SSL on the other.
[41:44.240 --> 41:45.760]  And then you run that.
[41:45.760 --> 41:49.260]  And I'm just using Wireshark to show that the encryption actually works.
[41:49.260 --> 41:51.040]  I'm not talking out my ass.
[41:51.320 --> 41:53.700]  But yeah, it does the client hello handshake.
[41:53.700 --> 41:55.420]  And you're off to the races.
[41:55.420 --> 41:56.840]  So, that's pretty cool.
[41:57.900 --> 42:00.620]  And it also works with PowerShell and that stuff.
[42:02.220 --> 42:04.360]  After it executes and runs through.
[42:09.680 --> 42:12.900]  This one is to show just some recon commands.
[42:13.020 --> 42:17.320]  So, Xena Oterio was giving me her research.
[42:17.320 --> 42:20.780]  And there was one that executed multiple recon commands.
[42:20.780 --> 42:23.380]  And one was even the WLAN export profile.
[42:23.380 --> 42:27.780]  But I left it in because I thought it would be funny being in AWS.
[42:27.780 --> 42:31.060]  It doesn't have a Wi-Fi profile.
[42:31.340 --> 42:32.900]  So, that's the file.
[42:33.600 --> 42:34.780]  You add it in.
[42:34.780 --> 42:36.280]  And the log name is advanced.
[42:36.280 --> 42:39.160]  And so, it will become advanced.json.
[42:39.460 --> 42:43.200]  And then I just already have it in the Windows CMD.
[42:43.200 --> 42:44.520]  It clicks through.
[42:44.520 --> 42:45.620]  It runs it.
[42:45.620 --> 42:48.140]  And it all logs to a JSON file.
[42:48.220 --> 42:50.440]  Even though it's quite a lot of output.
[42:50.840 --> 42:55.840]  And then I use jq just to see how it's ugly when you cat the file.
[42:55.840 --> 42:57.000]  Because it's JSON.
[42:57.140 --> 43:00.180]  But if you use jq, it's a little bit better formatted.
[43:00.580 --> 43:02.620]  You could probably clean it up a lot better.
[43:02.620 --> 43:05.520]  But it was just, I made it larger for the demo.
[43:05.540 --> 43:09.000]  And you can see that it executes CMD slash C.
[43:09.180 --> 43:12.420]  And then it creates the results.
[43:15.440 --> 43:16.360]  Close, close.
[43:16.360 --> 43:16.680]  All right.
[43:16.680 --> 43:17.460]  Cool.
[43:19.220 --> 43:26.560]  So, the research Xena gave me, there was a registry add command with environment CMD start.
[43:26.560 --> 43:27.480]  Things like that.
[43:27.480 --> 43:35.960]  I wanted to show a demo where this registry add can actually be tripped by an open source EDR called bluespawn.
[43:35.960 --> 43:44.940]  So, in an example of doing something real world, or in the effort to do so, we have it set up here.
[43:44.940 --> 43:46.420]  I'm listening on port 44.
[43:46.460 --> 43:53.240]  We're going to execute bluespawn, which is an open source EDR, to see if we can trip it.
[43:53.240 --> 43:54.660]  Or it detects something.
[43:55.080 --> 43:58.020]  So, then we're going to go into client mode with TLS.
[43:58.720 --> 44:00.480]  And then, as you can see, I'm admin one.
[44:00.480 --> 44:02.700]  Because that's the only way I could really execute.
[44:03.160 --> 44:04.680]  And then I copy paste.
[44:04.680 --> 44:06.460]  But I do this in PowerShell.
[44:06.860 --> 44:09.100]  Just because I felt like it.
[44:13.390 --> 44:14.890]  And then it goes through.
[44:14.890 --> 44:17.810]  It's reported as completing successfully.
[44:18.630 --> 44:21.690]  And you can see, even on the client, it shows you.
[44:21.690 --> 44:28.870]  And then when you go to bluespawn, you can see the MITRE technique, T1183, and the registry edit.
[44:28.970 --> 44:31.330]  So, this was actually from some training.
[44:31.430 --> 44:35.930]  I did this regedit, and they did a demo with bluespawn.
[44:35.930 --> 44:44.050]  I thought it would be great to show everyone how the tool can be used in the idea of adversary emulation.
[44:44.910 --> 44:51.710]  Now, the next one we wanted to show was a scheduled task slash job, which is T1053 in the MITRE framework.
[44:51.990 --> 44:56.390]  And this was from CAPE Sandbox 32597.
[44:56.690 --> 44:59.930]  So, it's scheduled tasks, and it creates...
[45:00.790 --> 45:03.250]  Scheduled tasks, it executes when someone logs on.
[45:03.250 --> 45:04.990]  So, it's a typical persistence mechanism.
